TL;DR: Shadow IT in SaaS often enters through unapproved apps, unmanaged personal accounts, finance-detected purchases, and browser or endpoint activity that IT does not see, according to Zluri. The governance problem is not only app sprawl but the mismatch between how employees adopt tools and how identity, access, and compliance teams discover them.
NHIMG editorial — based on content published by Zluri: 4 Common SaaS Sources of Shadow IT
Questions worth separating out
Q: How should security teams discover shadow IT in SaaS environments?
A: Use layered discovery.
Q: Why does shadow IT create an identity governance problem?
A: Because the organisation often cannot see who owns the account, who approved it, or when it should be removed.
Q: What do organisations get wrong about SaaS shadow IT?
A: They treat it as a software inventory issue instead of a governance issue.
Practitioner guidance
- Correlate SaaS discovery across multiple sources Combine SSO, IDP, finance, direct integration, desktop agent, and browser telemetry before deciding whether an app is sanctioned, tolerated, or unknown.
- Map unsanctioned apps to identity owners Record who created, pays for, and uses each app so shadow IT can be assigned to a business owner and brought into review cycles.
- Review access lifecycles for shadow apps Apply joiner, mover, leaver controls to every discovered SaaS app, including accounts created outside IT, so offboarding and certification do not rely on memory.
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact SaaS discovery workflow across SSO, finance, direct integrations, desktop agents, and browser extensions.
- Implementation detail on how usage signals are normalised into activity scores across multiple telemetry sources.
- The platform-specific process for identifying redundant apps and idle subscriptions at scale.
- The article's practical examples of where shadow IT enters through project, communication, conferencing, and storage tools.
👉 Read Zluri's analysis of the four common SaaS sources of shadow IT →
SaaS shadow IT sources: what IAM teams need to know?
Explore further
Shadow IT in SaaS is a visibility failure before it is a spending problem. The article shows that employees adopt tools because they are easy to access and inexpensive, which means governance breaks at the point of first use rather than at the point of procurement. That makes SaaS discovery a control issue for IAM, IGA, and compliance teams, not just a cost-optimisation exercise. Organisations that treat shadow IT as a finance-only problem will keep missing access paths that sit outside policy.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How can teams reduce risk from unmanaged SaaS tools?
A: Standardise on central discovery, assign owners to every app, and fold discovered services into certification, offboarding, and renewal workflows. Once a tool is known, it should be governed like any other business system, including access scope, data sharing, and connected machine identities.
👉 Read our full editorial: Shadow IT in SaaS: the visibility gap IAM teams still face